National Cybersecurity Awareness Month: Manage Your Risk at Home with Simple Tweaks to Your Voice-Controlled Devices

October is now in full swing—a month of flannels, falling leaves, and forming better security habits as part of National Cybersecurity Awareness Month (NCSAM). This government and industry initiative aims to provide education on how to stay safer and more secure while online, as well as boost the country’s resilience to cyber-threats. Over the course of the month, we will discuss topics such as educating for a career in cybersecurity, ensuring online safety at work, and securing the nation’s most critical infrastructure.

In this week’s post, Deral Heiland, Research Lead – IoT at Rapid7, will dive into how you can boost security in your home through a few simple tweaks to your voice-controlled devices.

I have had several conversations recently around whether you should use voice-controlled systems in your home. The true answer to this question comes down to whether you personally feel comfortable with these technologies, but if you do embrace them, I encourage you to use them wisely to reduce any security risks and vulnerabilities they may create.

Let’s take a look at the Amazon Echo Dot and Google Home Mini. If you haven’t used either of these products before, I recommend taking a look. I currently have several Amazon Echo Dots around my house for playing music, streaming the radio, checking the weather, setting alarms, controlling lights and fans in my house, and asking any odd questions I am too lazy to type into a Google search.

These are only a few examples of the tasks these technologies can help with—but they do still come with risk. The good news is that there are a couple of simple steps you can take to help reduce some concerns surrounding voice-controlled systems:

Switch up your wake word

When talking about products like the Amazon Echo, people regularly ask me, “Does this tech listen to everything I say?” Well, yes and no. The technology is listening for a wake word, which activates the device and triggers it to send what follows to the internet to be processed and stored so the device can hopefully respond with an answer or the requested action. This is the way it was designed, and if used properly, I feel it has limited and definitely manageable risk.

By default, the Echo’s wake word is “Alexa.” Everyone now knows this wake word, and there have been a number of documented incidents where the device carried out an action such as attempting to order products because a show on a nearby television said, “Alexa.” The Amazon Echo can also be activated by anyone in or outside your house who says, “Alexa,” or even an incoming call on your landline phone answering machine, if the volume is set high enough to hear the incoming caller.

The way to combat this is to change the wake word. Although this isn’t a perfect solution, it does obfuscate the attack surface. Currently, the Amazon Echo supports four wake words: “Echo,” “Alexa,” “Amazon,” and “Computer,” as shown below:

Figure 1: Change Wake Word

You can also limit risk around voice ordering by setting a PIN that will ensure no purchases or payments are made without your explicit permission.

Figure 2: Voice Purchasing

In the case of the Google Home Mini, there is no way to switch between different wake words. The product currently wakes via “Hey, Google” or “OK, Google,” which I find awkward to say. But, to have a little fun, I also found out that the device will awaken to “Hey, Boo-Boo” if you want to be different.

Confirm when your device is listening

Another concerning issue is that the wake word on the Amazon Echo can still be accidentally and randomly triggered from sounds and voices from many sources, which means anything I say after the wake word triggers the device and could get sent to the internet. In the privacy of my home, I want my comments and conversations to remain private.

In one recent example, an Amazon Echo recorded a conversation and sent it as a message to someone in the owner’s address book—an incident surely no one wants. Amazon took some action to prevent these types of accidents from occurring, but what can we do to reduce the risk of private information being accidentally recorded? The way I do this is to have the Amazon Echo alert me when the wake word is heard by emitting an audible tone that indicates it is in recording/processing mode.

Figure 3: Request Sound

This way, I know that the Amazon Echo is active and I can stop talking until it emits another audible tone indicating the recording/processing function has concluded.

With the Google Home Mini, I have noticed there have been fewer times the wake word has been accidentally triggered. This might be because the wake word “Hey” or “Go” must be combined with “Google.” Either way, the Google Home Mini also has a setting that enables an audible tone to indicate when recording/processing has been activated. This can be enabled on the device using the Google Home mobile app’s “Device Setting” under “Accessibility.”

Figure 4: Google Home Accessibility

These small adjustments may not be the be-all and end-all for security, but they do help. Now I know that if someone attempts an attack against my device with the default wake word “Alexa,” it will not work. Also, when I hear that tone from my Amazon Echo Dot or Google Home Mini, I know to stop talking until it concludes with another audible tone. All it takes is a couple of simple configuration changes to help you reduce a few areas of risk and leverage your technology with more comfort.

Rapid7 (NASDAQ:RPD) powers the practice of SecOps by delivering shared visibility, analytics, and automation that unites security, IT, and DevOps teams. The Rapid7 Insight platform empowers these teams to jointly manage and reduce risk, detect and contain attackers, and analyze and optimize operations. Rapid7 technology, services, and research drive vulnerability management, application security, incident detection and response, and log management for more than 7,000 organizations across more than 120 countries, including 52% of the Fortune 100.
